[solved] Cloudlinux PHP LSAPI "say no to suexec"

Okay well here is a question for you, I have been in a long discussion with Igor regarding suexec vs lsapi php security... Because we are using CageFS the user can only see their own files... but if you use suexec then and attacker can delete a customers site and or easily add malicious code to their files.

Because CageFS already provides the benefit of preventing a user from accessing the other users files, couldnt we just cage php lsapi and not use suexec

here is Igor's response:

You can check with LiteSpeed regarding doing LVE/CageFS without suexec. I believe they might be able to do CageFS without suexec, as they still terminate apache request after it served the request.

Either that or add a suexec ForceUID option just like you have the forcegid option... that way even though we are in suexec mode the user can be forced to something different than the user that owns the files..... this way it since suexec already work in cagefs it would be a no brainer to prevent deletion of files

But isnt it true that LVE controls dont work in suexec mode? so wouldnt my above recommendation of CageFS +php lsapi work with LVE???

Okay well here is a question for you, I have been in a long discussion with Igor regarding suexec vs lsapi php security... Because we are using CageFS the user can only see their own files... but if you use suexec then and attacker can delete a customers site and or easily add malicious code to their files.
...
But isnt it true that LVE controls dont work in suexec mode? so wouldnt my above recommendation of CageFS +php lsapi work with LVE???

Click to expand...

suEXEC needs to be enabled for CageFS to work. pls pm the steps to reproduce the issue so we can look into it.

Okay well here is a question for you, I have been in a long discussion with Igor regarding suexec vs lsapi php security... Because we are using CageFS the user can only see their own files... but if you use suexec then and attacker can delete a customers site and or easily add malicious code to their files.

Because CageFS already provides the benefit of preventing a user from accessing the other users files, couldnt we just cage php lsapi and not use suexec

here is Igor's response:

You can check with LiteSpeed regarding doing LVE/CageFS without suexec. I believe they might be able to do CageFS without suexec, as they still terminate apache request after it served the request.

Either that or add a suexec ForceUID option just like you have the forcegid option... that way even though we are in suexec mode the user can be forced to something different than the user that owns the files..... this way it since suexec already work in cagefs it would be a no brainer to prevent deletion of files

But isnt it true that LVE controls dont work in suexec mode? so wouldnt my above recommendation of CageFS +php lsapi work with LVE???

Click to expand...

Yes, it is on our to-do list of our lsphp suEXEC daemon development, will be in our 4.2 release.

Once enabled PHP suEXEC daemon mode, you can change "Enable LVE" configuration to "CageFS without suEXEC". If cagefs is disabled for that user or failed to enter the cage, PHP will change user ID (back to default suEXEC mode).

This is amazing, it solves security for both server and customer, no longer will people have to settle on a half arse bandaid solution like suexec or suphp

tested and working though you might want to note, for it to work because it forces group nobody... on directadmin servers you must turn off secure access group

@mistwang

thank you so much, is there a chance we can define the group it operates in, instead of group nobody, so we can continue to use secure access group setting in directadmin? its sort of redundant but would be nice to have for users are not mounted in cagefs

Hello,
Can someone post a guide about How to correctly enable cagefs without suexec?

If I already have a lot of sites with owner, How can I do that?
I mean: now I've suexec enabled, user john is the owner of john's website folder. If I enable cagefs without suexec, all the files become unwriteable, because litespeed run with user nobody.

How can I use this feature? Is this feature important about security and performance or can I keep suexec enabled?